[Pkg-mediawiki-commits] r301 - in mediawiki/sid-sec/debian: . patches
Thorsten Glaser
tg at alioth.debian.org
Fri Jan 20 16:18:44 UTC 2012
Author: tg
Date: 2012-01-20 16:18:44 +0000 (Fri, 20 Jan 2012)
New Revision: 301
Removed:
mediawiki/sid-sec/debian/patches/CVE-2011-4360.patch
Modified:
mediawiki/sid-sec/debian/changelog
mediawiki/sid-sec/debian/patches/series
Log:
revert one of the recent patches, 1.15 was unaffected and it broke things
Modified: mediawiki/sid-sec/debian/changelog
===================================================================
--- mediawiki/sid-sec/debian/changelog 2012-01-15 00:48:37 UTC (rev 300)
+++ mediawiki/sid-sec/debian/changelog 2012-01-20 16:18:44 UTC (rev 301)
@@ -1,3 +1,14 @@
+mediawiki (1:1.15.5-7) unstable; urgency=high
+
+ * debian/patches/CVE-2011-4360.patch: remove – the information
+ disclosure does not happen on 1.15 and the patch would not
+ work anyway because the OutputPage object has no setTitle
+ method (this prevents a PHP fatal error when someone has no
+ permissions, instead reverting to the pre-1:1.15.5-4 behaviour
+ of showing a page asking the user to log in)
+
+ -- Thorsten Glaser <tg at mirbsd.de> Fri, 20 Jan 2012 17:13:28 +0100
+
mediawiki (1:1.15.5-6) unstable; urgency=low
[ Thorsten Glaser ]
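Review bot: The new 1:1.15.5-7 entry states that the information disclosure "does not happen on 1.15" but does not say how that was established, and it does not mention Bug-Debian 650434, which the removed patch header references. Since this drops a CVE patch at urgency=high, consider naming the bug in the entry and stating briefly what was checked (for example the curid and oldid requests described in the removed patch comment), so the status of CVE-2011-4360 for this version can be read from the changelog. The parenthetical is also ambiguous: "this prevents a PHP fatal error" reads as if it refers to the missing setTitle method rather than to the removal of the patch.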
Deleted: mediawiki/sid-sec/debian/patches/CVE-2011-4360.patch
===================================================================
--- mediawiki/sid-sec/debian/patches/CVE-2011-4360.patch 2012-01-15 00:48:37 UTC (rev 300)
+++ mediawiki/sid-sec/debian/patches/CVE-2011-4360.patch 2012-01-20 16:18:44 UTC (rev 301)
@@ -1,31 +0,0 @@
-Description: CVE-2011-4360
- Alexandre Emsenhuber discovered an issue where page titles on private
- wikis could be exposed bypassing different page ids to index.php. In the
- case of the user not having correct permissions, they will now be
- redirected to Special:BadTitle.
-Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
-Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
-Bug-Debian: http://bugs.debian.org/650434
-Forwarded: not-needed
-Last-Update: 2011-11-30
-
-
---- mediawiki-1.15.5.orig/includes/Wiki.php
-+++ mediawiki-1.15.5/includes/Wiki.php
-@@ -149,6 +149,16 @@
- # the Read array in order for the user to see it. (We have to check here to
- # catch special pages etc. We check again in Article::view())
- if( !is_null( $title ) && !$title->userCanRead() ) {
-+ // Bug 32276: allowing the skin to generate output with $wgTitle
-+ // set to the input title would allow anonymous users to
-+ // determine whether a page exists, potentially leaking private data. In fact, the
-+ // curid and oldid request parameters would allow page titles to be enumerated even
-+ // when they are not guessable. So we reset the title to Special:Badtitle before the
-+ // permissions error is displayed.
-+ $badtitle = SpecialPage::getTitleFor( 'Badtitle' );
-+ $output->setTitle( $badtitle );
-+ $wgTitle = $badtitle;
-+
- $output->loginToUse();
- $output->output();
- $output->disable();
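Review bot: Only the "$output->setTitle( $badtitle );" line in the removed Wiki.php hunk depends on the method that the changelog says OutputPage lacks in 1.15; the "$wgTitle = $badtitle;" assignment next to it does not. Deleting the whole patch is consistent with the log's statement that 1.15 was unaffected, but the changelog should say that the $wgTitle reset on its own is not needed either, because the removed comment names the curid and oldid request parameters as the enumeration path and nothing in this commit shows that path being checked on 1.15. The fatal error on the no-permission path also suggests that path was not exercised when the patch was added, so an anonymous request against a read-restricted wiki is worth adding to the checks for backported patches.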
Modified: mediawiki/sid-sec/debian/patches/series
===================================================================
--- mediawiki/sid-sec/debian/patches/series 2012-01-15 00:48:37 UTC (rev 300)
+++ mediawiki/sid-sec/debian/patches/series 2012-01-20 16:18:44 UTC (rev 301)
@@ -13,7 +13,6 @@
CVE-2011-1579.patch
CVE-2011-1580.patch
CVE-2011-1587.patch
-CVE-2011-4360.patch
CVE-2011-4361.patch
khtml_not_ff9.patch
CVE-2012-0046.patch